"The Shape and Size of Threats: Defining a Networked System's Attack Surface"

Previous Technical Report Name: "Quantifying Attack Surface Through Systemic Dependencies Analysis"
Technical Report number: 1120004
Date of Publication: 2014-10-21
Title of Publication: "The Shape and Size of Threats: Defining a Networked System's Attack Surface"
Abstract: "As we have created increasingly complex and layered services, we have made it increasingly difficult to quantify their vulnerability to compromise. The concept of “attack surface” has emerged in recent years as a measure of such vulnerabilities. However, given the high degree of interdependencies among networked systems, a way to systematically quantify their attack surfaces remains an open challenge. In this work we propose a methodology to quantify the attack surface of such systems by identifying their systemic dependencies, and we use two real Internet standards (the X.509 CA verification system and DANE) as case studies to illustrate the efficacy of our methodology. We find that, with conscientious design, one can minimize attack surface vulnerabilities without sacrificing availability, and our methodology suggests that DANE can quantifiably reduce attack surface by up to three orders of magnitude for some popular websites today, when compared to X.509 CA verification. We believe this work represents the first step towards systemically modeling dependencies of actual Internet networked systems in order to formally quantify the often elusive notion of a system’s attack surface."
Proceedings or Venue of Publication: NPSEC '14 Proceedings of the 2014 9th IEEE Workshop on Secure Network
BibTeX:
@inproceedings{verisignlabs-conf-1120004,
  author    = {Eric Osterweil and Danny McPherson and Lixia Zhang},
  title     = {The Shape and Size of Threats: Defining a Networked System's Attack Surface},
  booktitle = {NPSEC '14 Proceedings of the 2014 9th IEEE Workshop on Secure Network},
  year      = {2014},
}
File: New work ./docs/conf-1120004.pdf